On 05/26/2015 04:22 PM, Jakub Hrozek wrote:
>On Tue, May 26, 2015 at 03:39:20PM +0200, Pavel Reichl wrote:
>>On 05/26/2015 03:09 PM, Jakub Hrozek wrote:
>>>On Tue, May 26, 2015 at 11:13:38AM +0200, Jakub Hrozek wrote:
>>>>I'll test the patch now..
>>>Functionality passed:
>>>
>>>[jhrozek@client] sssd $ [(review)] su - jhrozek
>>>Password: (I used the IPA admin password here)
>>>[jhrozek@client] ~ $ [] klist
>>>Ticket cache: KEYRING:persistent:1000:krb_ccache_tovv73R
>>>Default principal: admin(a)LINUX.TEST
>>>
>>>Valid starting Expires Service principal
>>>05/26/2015 15:07:31 05/27/2015 15:07:31 krbtgt/LINUX.TEST(a)LINUX.TEST
>>>
>>>So fix the nitpicks and I'll ack :-)
>>Great, thanks.
>>
>>Please see attached patch. I'm completely sure that I've absolutely sorted
>>out the nitpicks...unless I've made them even worse. :-)
>>
>>I think that the coverity warning was false positive, because the map value
>>would never be read when uninitialized, but to get rid of the warning I
>>added a check and call the function conditionally. Would you prefer If I
>>rather initialized the variable?
>This is fine.
>
>I found one typo in manpage (sorry..), the rest looks good to me now. I
>tested proxy user, IPA user and AD trust user, all worked fine.
Sorry for missing that. Fixed.
I'm happy that testing passed.
>
>>>_______________________________________________
>>>sssd-devel mailing list
>>>sssd-devel(a)lists.fedorahosted.org
>>>https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>> From 81473f2441dcdfb3c04864414d9bb30a20a2740d Mon Sep 17 00:00:00 2001
>>From: Pavel Reichl <preichl(a)redhat.com>
>>Date: Thu, 30 Apr 2015 06:43:05 -0400
>>Subject: [PATCH] krb5: new option krb5_map_user
>>
>>New option `krb5_map_user` providing mapping of ID provider names to
>>Kerberos principals.
>>
>>Resolves:
>>https://fedorahosted.org/sssd/ticket/2509
>[...]
>
>>diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
>>index 8d5bbeed6ce6ec6bcb2db09895ca045905338639..eee6dfbdf9f8ae75b6b20d8f3d3cf21d7e38971f 100644
>>--- a/src/man/sssd-krb5.5.xml
>>+++ b/src/man/sssd-krb5.5.xml
>>@@ -516,6 +516,42 @@
>> </listitem>
>> </varlistentry>
>>+ <varlistentry>
>>+ <term>krb5_map_user (string)</term>
>>+ <listitem>
>>+ <para>
>>+ The list of mappings is given as a comma-separated
>>+ list of pairs
<quote>username:primary</quote>
>>+ where <quote>username</quote> is a UNIX
user name
>>+ and <quote>primary</quote> is a user
part of
>>+ a kerberos principal. This mapping is used when
>>+ user is authenticating using
>>+ <quote>auth_provider = krb5</quote>.
>>+ </para>
>>+
>>+ <para>
>>+ example:
>>+<programlisting>
>>+krb5_realm = REALM
>>+krb5_map_user = joe:juser,dick:richard
>>+</programlisting>
>>+ </para>
>>+ <para>
>>+ <quote>joe</quote> and
<quote>vince</quote> are
>>+ UNIX user names and <quote>juser</quote>
and
>>+ <quote>rraines</quote> are primaries of
kerberos
>>+ principals. For user <quote>joe</quote>
resp.
>>+ <quote>dick</quote> SSSD will try to
kinit as
>>+ <quote>dick@REALM</quote> resp.
>>+ <quote>richard@REALM</quote>.
>The example gives joe and dick but the text talks about joe and vince.
From 923e68ba56f276db473a38fffe339a0dc9770a4f Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl(a)redhat.com>
Date: Thu, 30 Apr 2015 06:43:05 -0400
Subject: [PATCH] krb5: new option krb5_map_user
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfigTest.py | 9 ++-
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
src/config/etc/sssd.api.d/sssd-krb5.conf | 1 +
src/man/sssd-krb5.5.xml | 36 ++++++++++
src/providers/ad/ad_opts.h | 1 +
src/providers/ipa/ipa_opts.h | 1 +
src/providers/krb5/krb5_access.c | 8 +--
src/providers/krb5/krb5_auth.c | 76 ++++++++++++++++++---
src/providers/krb5/krb5_auth.h | 5 +-
src/providers/krb5/krb5_common.h | 8 +++
src/providers/krb5/krb5_init_shared.c | 11 +++
src/providers/krb5/krb5_opts.h | 1 +
src/providers/krb5/krb5_utils.c | 114 +++++++++++++++++++++++++++++++
src/providers/krb5/krb5_utils.h | 5 ++
src/tests/krb5_utils-tests.c | 111 ++++++++++++++++++++++++++++++
17 files changed, 372 insertions(+), 18 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 31c9c648045f1e2b031c6f9b2196b44e9c4c4313..f58c52faf7dd3f9199bd0af4286546d4fe804a88 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -215,6 +215,7 @@ option_strings = {
'krb5_fast_principal' : _("Selects the principal to use for
FAST"),
'krb5_canonicalize' : _("Enables principal canonicalization"),
'krb5_use_enterprise_principal' : _("Enables enterprise
principals"),
+ 'krb5_map_user' : _('A mapping from user names to kerberos principal
names'),
# [provider/krb5/chpass]
'krb5_kpasswd' : _('Server where the change password service is running
if not on the KDC'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index db16bc433cf4c47c6a15760d85b322a6655aa0c1..476e30806ceda64b14d25f5545a63785efaacf15 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -622,7 +622,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_fast_principal',
'krb5_canonicalize',
'krb5_use_enterprise_principal',
- 'krb5_use_kdcinfo'])
+ 'krb5_use_kdcinfo',
+ 'krb5_map_user'])
options = domain.list_options()
@@ -782,7 +783,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_fast_principal',
'krb5_canonicalize',
'krb5_use_enterprise_principal',
- 'krb5_use_kdcinfo']
+ 'krb5_use_kdcinfo',
+ 'krb5_map_user']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -983,7 +985,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_fast_principal',
'krb5_canonicalize',
'krb5_use_enterprise_principal',
- 'krb5_use_kdcinfo'])
+ 'krb5_use_kdcinfo',
+ 'krb5_map_user'])
options = domain.list_options()
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 5a5ea0c36b07d7497c1caa4208c7270d6de6dcc9..c46f3a7cb50db519d113e15f425c7f746d34ad81 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -139,6 +139,7 @@ krb5_renew_interval = str, None, false
krb5_use_fast = str, None, false
krb5_fast_principal = str, None, false
krb5_use_enterprise_principal = bool, None, false
+krb5_map_user = str, None, false
[provider/ad/access]
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 230bdd7df3e7512eab9096c136624cdd7923ed96..6bae609fa9ff57e70c195b858eeea4eca680f62f 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -155,6 +155,7 @@ krb5_renew_interval = str, None, false
krb5_use_fast = str, None, false
krb5_fast_principal = str, None, false
krb5_use_enterprise_principal = bool, None, false
+krb5_map_user = str, None, false
[provider/ipa/access]
ipa_hbac_refresh = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index e65ed01b688078aff090ff53b91779595fd6f465..b7423b74f7b6845d235cc523a8e249d6a74d69ab 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -21,6 +21,7 @@ krb5_use_fast = str, None, false
krb5_fast_principal = str, None, false
krb5_canonicalize = bool, None, false
krb5_use_enterprise_principal = bool, None, false
+krb5_map_user = str, None, false
[provider/krb5/access]
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index 8d5bbeed6ce6ec6bcb2db09895ca045905338639..3d3c58cf6dfbd31c76d7a88e0ec849c10e15fe76 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -516,6 +516,42 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>krb5_map_user (string)</term>
+ <listitem>
+ <para>
+ The list of mappings is given as a comma-separated
+ list of pairs <quote>username:primary</quote>
+ where <quote>username</quote> is a UNIX user
name
+ and <quote>primary</quote> is a user part of
+ a kerberos principal. This mapping is used when
+ user is authenticating using
+ <quote>auth_provider = krb5</quote>.
+ </para>
+
+ <para>
+ example:
+<programlisting>
+krb5_realm = REALM
+krb5_map_user = joe:juser,dick:richard
+</programlisting>
+ </para>
+ <para>
+ <quote>joe</quote> and
<quote>dick</quote> are
+ UNIX user names and <quote>juser</quote> and
+ <quote>richard</quote> are primaries of
kerberos
+ principals. For user <quote>joe</quote> resp.
+ <quote>dick</quote> SSSD will try to kinit as
+ <quote>dick@REALM</quote> resp.
+ <quote>richard@REALM</quote>.
+ </para>
+
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>
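Review bot: the worked example in the new krb5_map_user paragraph contradicts the mapping it illustrates. With `krb5_map_user = joe:juser,dick:richard`, SSSD would kinit as `juser@REALM` for joe, not `dick@REALM`, so the last sentence should read "For user joe resp. dick SSSD will try to kinit as juser@REALM resp. richard@REALM". Because this option decides whose Kerberos password is actually verified when a UNIX user logs in, an administrator copying the example needs it to be right. Two smaller points in the same para: "kerberos" should be capitalized as "Kerberos" (twice), and "when user is authenticating" reads better as "when a user authenticates". It would also help to state whether the username side of each pair is matched case-insensitively in case-insensitive domains, since the krb5_access.c hunk now passes `be_ctx->domain->case_sensitive` into krb5_setup and the man page is where that behaviour should be documented.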
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 15b140434fec815aeee989e24cc1b7930f040add..6e859447f927ef683d53bf08d25d658764581348 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -168,6 +168,7 @@ struct dp_option ad_def_krb5_opts[] = {
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_map_user", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 8a0764265521e86ca86249e4b62f0f967bc44189..34e9e167eb46f290d017b5af817571122b359b4f 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -310,6 +310,7 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_map_user", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c
index 7fda2a37922a537f7fe53d629c4e0cb4df1bd4da..3afb90150d77ef4ab2c1b5b79abb95d68eb131f6 100644
--- a/src/providers/krb5/krb5_access.c
+++ b/src/providers/krb5/krb5_access.c
@@ -64,7 +64,8 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
state->krb5_ctx = krb5_ctx;
state->access_allowed = false;
- ret = krb5_setup(state, pd, krb5_ctx, &state->kr);
+ ret = krb5_setup(state, pd, krb5_ctx, be_ctx->domain->case_sensitive,
+ &state->kr);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
goto done;
@@ -105,9 +106,8 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
goto done;
break;
case 1:
- ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx,
- be_ctx->domain, pd->user, pd->domain,
- &state->kr->upn);
+ ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx, be_ctx->domain,
+ state->kr->user, pd->domain,
&state->kr->upn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "find_or_guess_upn failed.\n");
goto done;
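Review bot: the switch from `pd->user` to `state->kr->user` in the find_or_guess_upn call deserves a one-line comment (or a sentence in the commit message) saying that `kr->user` now carries the krb5_map_user-mapped name and that the UPN must be derived from it; a reader of krb5_access.c alone only sees that krb5_setup gained a `case_sensitive` argument and will not know why `pd->user` stopped being the right input here. Note also that `res->msgs[0]` is passed unchanged alongside the mapped name, so please confirm that find_or_guess_upn is fine receiving the message looked up for the original `pd->user` together with `kr->user`, rather than silently building a UPN from one user's attributes and another user's name.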
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 148b08fdf860e92d00be0582eb73a822113f3880..8c851442b31994f819f33722bb67d19bb01e4b77 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -36,6 +36,7 @@
#include "util/find_uid.h"
#include "util/auth_utils.h"
#include "db/sysdb.h"
+#include "util/sss_utf8.h"
#include "util/child_common.h"
#include "providers/krb5/krb5_auth.h"
#include "providers/krb5/krb5_utils.h"
@@ -175,15 +176,51 @@ static int krb5_cleanup(void *ptr)
return EOK;
}
+static errno_t
+get_krb_primary(struct map_id_name_to_krb_primary *name_to_primary,
+ char *id_prov_name, bool cs, const char **_krb_primary)
+{
+ errno_t ret;
+ int i = 0;
+
+ while(name_to_primary != NULL &&
+ name_to_primary[i].id_name != NULL &&
^^
I thought we have a convention to use
binary operator in the beginning of
line and not at the end.
IIRC Stephen sent mail with proposal and we agreed.
Sumit uses it quite often.
LS
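Review bot: in get_krb_primary, the `name_to_primary != NULL` test is re-evaluated on every iteration of the while loop; hoisting it into an early return before the loop (`if (name_to_primary == NULL) { *_krb_primary = NULL; return ...; }`) makes the "no mapping configured" case explicit and leaves the loop condition with only the `id_name != NULL` terminator check, besides moving the trailing `&&` to the start of the next line as already noted. Two style points on the signature: `id_prov_name` is only read, so it can be `const char *`, and `while(` should be `while (`.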